CN112769859B - Network attack stage statistical and prediction method based on Markov chain - Google Patents


Info

Publication number
CN112769859B
CN112769859B (application CN202110092582.0A)
Authority
CN
China
Prior art keywords
attack
stage
state transition
markov chain
transition matrix
Prior art date
Legal status
Active
Application number
CN202110092582.0A
Other languages
Chinese (zh)
Other versions
CN112769859A (en)
Inventor
任传伦
郭世泽
官弼根
吴栋
夏建民
俞赛赛
刘晓影
乌吉斯古愣
孟祥頔
Current Assignee
CETC 15 Research Institute
Original Assignee
CETC 15 Research Institute
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N7/00 Computing arrangements based on specific mathematical models
    • G06N7/01 Probabilistic graphical models, e.g. probabilistic networks

Abstract

The invention discloses a Markov chain-based network attack stage statistical and prediction method comprising the following specific steps: establishing a Markov chain-based state transition matrix, by establishing a state space according to the attack process of the network attack kill chain, carrying out probability statistics on the attack state transitions generated by each attack method in the attack process, and building the Markov chain state transition matrix; correcting the Markov chain-based state transition matrix, that is, correcting state data that is missing or wrong because the statistical data is incomplete; and predicting the attack stage in the network attack kill chain with the Markov chain model. The invention combines the widely used network attack chain with the Markov chain, so that network attack event statistics become better suited to prediction, thereby improving the accuracy of the attack prediction model.

Description

Network attack stage statistical and prediction method based on Markov chain
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a method for counting and predicting a network attack stage by using a Markov chain in a network killing chain.
Background
Generally, a network attack consists of multiple attack phases, where the success of one phase triggers the next, while the failure of any one stage means the failure of the entire attack. If network attack detection were comprehensive and accurate, each attack method would be seen to proceed phase by phase, and the whole attack would resemble a chain. However, because a network attack event spans a long time and involves many attack points (springboards, zombies, reflectors, etc.), it is extremely difficult to detect every stage of a network attack completely, so the whole attack process cannot be comprehensively grasped, and the attack method occurring at each stage certainly cannot be counted accurately.
The characteristics of the network attack kill chain show that a network attack satisfies the Markov property: the transition to the next state depends only on the current state and is independent of previous states. Based on this property, and aiming at the problems of incomplete data and inaccurate prediction in existing network attack statistical methods, the invention discloses a network attack stage statistical and prediction method based on a Markov chain.
Disclosure of Invention
The invention discloses a network attack stage statistics and prediction method based on a Markov chain, aiming at the problems of incomplete attack statistical data, and of the large statistical deviation that incomplete data causes, in existing network attack statistical methods. The method can therefore effectively avoid the large prediction deviation caused by incomplete statistical data on the attack stages in the attack chain.
The invention discloses a network attack stage statistical and prediction method based on a Markov chain, which comprises the following specific steps:
S1, establishing a Markov chain-based state transition matrix: establishing a state space according to the attack process of the network attack killing chain, carrying out probability statistics on the attack state transitions generated by each attack method in the attack process, and establishing the Markov chain state transition matrix;
S2, modifying the Markov chain-based state transition matrix: modifying state data that is missing or wrong because of incomplete statistical data, according to the characteristic that the data elements of each row of the state transition matrix sum to 1 (because each row represents its own probability distribution);
S3, predicting the attack stage in the network attack killing chain with the Markov chain model, that is, predicting the occurrence probability of the next attack stage with the Markov chain model.
The establishing of the state transition matrix based on the markov chain described in step S1 specifically includes:
S11, extracting attack events: capturing and identifying the attack events in offline or real-time network traffic with intrusion detection software or probe software (such as Suricata), and assigning the attack events to the corresponding attack stages according to their characteristics;
S12, correlating the attack events: detecting the attack method according to the viruses extracted from the attack event, the definition in the virus sample library and the attack stage in the network killing chain, and correlating the attack event with previously detected attack events under the same kind of attack method;
S13, performing attack probability statistics: dividing the attack events detected in step S12 according to the attack phases of the attack chain, then selecting a certain earlier day as the starting time point of the statistics, dividing the period from the starting time point to the current time into a number of consecutive time intervals of fixed length (such as N days), and calculating the probability of each attack phase occurring in each time interval, where the calculation specifically includes:
S131, calculating the occurrence weight of the jth attack stage in the ith time interval
Figure BDA0002913247280000031
where j is the index of the attack stage; for j = 1, 2, 3, 4, 5, 6, 7 the stage is respectively reconnaissance and tracking, weapon construction, load delivery, vulnerability exploitation, installation and implantation, command and control, and target achievement; m is the sequence number of the stage weight; $b_1, b_2, b_3, b_4, b_5, b_6, b_7$ are respectively the weights of the seven attack stages (reconnaissance and tracking, weapon construction, load delivery, vulnerability exploitation, installation and implantation, command and control, target achievement) in the current attack method; and $p_{1,i}, p_{2,i}, p_{3,i}, p_{4,i}, p_{5,i}, p_{6,i}, p_{7,i}$ are respectively the numbers of times the seven attack stages occur in the ith time interval;
S132, calculating the heat-of-occurrence set of attack stage j in the ith time interval, $H_{i,j} = [G_{1,j}, G_{2,j}, G_{3,j}, \ldots, G_{i,j}]$.
S133, simplifying the heat-of-occurrence set data by the extreme-value method to obtain the normalized heat of occurrence of attack stage j in the ith time interval, namely
Figure BDA0002913247280000032
S134, calculating the transition probability of each attack stage from the ith time interval to the (i+1)th time interval. The transition probability from the jth attack stage to the (j+n)th attack stage between the ith and (i+1)th time intervals is $T_{i,i+1,j,j+n} = H'_{i+1,j+n} - H'_{i,j}$, and the transition probability from the jth attack stage to the (j-n)th attack stage between the ith and (i+1)th time intervals is $T_{i,i+1,j,j-n} = H'_{i+1,j} - H'_{i,j-n}$, where $0 \le n \le 7$, $1 \le j+n \le 7$ and $1 \le j-n \le 7$.
S14, establishing corresponding Markov chain-based state transition matrix for each attack method.
The Markov chain-based state transition matrix may be expressed in the form of the attack probability state transition statistics table shown in Table 1.
Table 1: attack probability state transition statistics table
Figure BDA0002913247280000041
The modification of the state transition matrix based on the markov chain in step S2 specifically includes:
S21, Markov chain property screening: analyse the Markov chain-based state transition matrix established in step S1 and select the Markov properties that apply to the matrix, specifically including communicating states, periodicity, transience, recurrence, ergodicity or absorbing states. According to the selected Markov property, the Markov state transition probability matrix is denoted $P = [P_{m,n}]$, $1 \le m, n \le 7$, where $P_{m,n}$ is the probability that the attack is in state m in the ith time interval and in state n in the (i+1)th time interval.
S22, determining the correction principle of the state transition matrix, and determining the principle of correcting the state transition matrix of each attack method according to the Markov characteristic selected in the step S21, wherein the expression of the correction principle is as follows:
Figure BDA0002913247280000042
Figure BDA0002913247280000043
where k is the index of the attack stage traversed by the summation, and $T_{m,n}$ is the total transition probability from the mth attack state to the nth attack state;
s23, correcting the data in the state transition matrix, and completing the missing data in the state transition matrix according to a state transition matrix correction principle formula to obtain a corrected state transition matrix based on a Markov chain:
Figure BDA0002913247280000051
the predicting the attack stage in the network attack killing chain by using the markov chain in step S3 specifically includes:
S31, extracting attack characteristics: extracting fragments of the traffic data in transmission for detecting the attack event in step S32.
S32, detecting the attack event: inspecting the traffic packets extracted in step S31 and judging whether they contain an attack event.
S33, attack event correlation: determining to which stage of which attack method the attack event detected in step S32 belongs.
S34, predicting the attack: using the state transition matrix of the Markov chain model and the attack event detected in step S32, predicting the probability of the attacker's next attack action. Specifically, let the stage of the currently detected attack event be z, $1 \le z \le 7$, and let the other stages be z'. The current state vector is set to $C = [c_1\ c_2\ c_3\ c_4\ c_5\ c_6\ c_7]$ with $c_z = 1$ and $c_{z'} = 0$ for $z' \ne z$. The next state vector is then $D = C \times P = [d_1\ d_2\ d_3\ d_4\ d_5\ d_6\ d_7]$, where $d_{z+1}$ is the probability of the next attack event occurring.
S35, verifying the prediction: verifying the obtained prediction result.
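The steps S13, S2 and S34 above, worked end to end as an added example; this is not the patent's code. It assumes the seven stages are numbered 1..7 as in the text, that P is estimated from row-normalised counts of consecutive stage observations in correlated attack chains (the patent's heat-of-occurrence formulas are image-only on the page and are not reproduced), that a missing row entry is completed from the row-sum-to-1 property of step S2, and that a stage never observed as a source is treated as an absorbing state.

```python
"""Markov-chain attack-stage statistics and next-stage prediction (steps S1-S3).

Added example, not the patent's own code. Assumptions: stages are numbered 1..7
as in the text; P is estimated from row-normalised counts of consecutive stage
observations in correlated attack chains (the patent's heat-of-occurrence
formulas are image-only on the page and are not reproduced); missing entries
are completed from the row-sum-to-1 property of step S2; a stage that was never
observed as a source is treated as an absorbing state.
"""
from typing import List, Optional, Sequence

STAGES = [
    "reconnaissance and tracking", "weapon construction", "load delivery",
    "vulnerability exploitation", "installation and implantation",
    "command and control", "target achievement",
]
N = len(STAGES)
Row = List[Optional[float]]

# Constructed sample: for one attack method, each chain is the ordered list of
# kill-chain stages (1..7) observed across consecutive time intervals after
# event correlation (step S12). Not real telemetry.
SAMPLE_CHAINS = [
    [1, 2, 3, 4, 5, 6, 7],
    [1, 1, 3, 4, 5, 5, 6],
    [1, 2, 2, 3, 4, 5, 6],
    [1, 3, 4, 4, 6, 7],
]


def count_transitions(chains: Sequence[Sequence[int]]) -> List[List[int]]:
    """Count stage m -> stage n transitions between consecutive observations."""
    counts = [[0] * N for _ in range(N)]
    for chain in chains:
        for a, b in zip(chain, chain[1:]):
            if not (1 <= a <= N and 1 <= b <= N):
                raise ValueError(f"stage out of range in transition {a}->{b}")
            counts[a - 1][b - 1] += 1
    return counts


def estimate_matrix(counts: Sequence[Sequence[int]]) -> List[Row]:
    """Row-normalise counts into P = [P_mn]; a row with no data stays None (missing)."""
    matrix: List[Row] = []
    for row in counts:
        total = sum(row)
        matrix.append([c / total for c in row] if total else [None] * N)
    return matrix


def complete_matrix(matrix: Sequence[Row], tol: float = 1e-9) -> List[List[float]]:
    """Step S2: fill missing entries so that every row sums to 1, or reject the row."""
    fixed: List[List[float]] = []
    for m, row in enumerate(matrix):
        missing = [n for n, v in enumerate(row) if v is None]
        known = sum(v for v in row if v is not None)
        if known < -tol or known > 1.0 + tol:
            raise ValueError(f"row {m + 1}: known mass {known:.3f} is not a probability")
        if not missing:
            if abs(known - 1.0) > tol:
                raise ValueError(f"row {m + 1}: complete row sums to {known:.3f}, not 1")
            fixed.append([float(v) for v in row])
        elif len(missing) == N:
            # Assumption: a stage never seen as a source is absorbing (self-loop = 1).
            fixed.append([1.0 if n == m else 0.0 for n in range(N)])
        else:
            # Remaining mass 1 - known is split evenly over the missing entries;
            # with a single gap this is exactly the row-sum rule of step S2.
            share = (1.0 - known) / len(missing)
            fixed.append([share if v is None else float(v) for v in row])
    return fixed


def build_model(chains: Sequence[Sequence[int]]) -> List[List[float]]:
    """Steps S1-S2 end to end: counts -> estimated matrix -> corrected matrix."""
    return complete_matrix(estimate_matrix(count_transitions(chains)))


def predict_next(matrix: Sequence[Sequence[float]], z: int) -> List[float]:
    """Step S34: D = C x P for the one-hot current-state vector C with c_z = 1."""
    if not 1 <= z <= N:
        raise ValueError("current stage z must be in 1..7")
    current = [1.0 if s == z else 0.0 for s in range(1, N + 1)]
    return [sum(current[m] * matrix[m][n] for m in range(N)) for n in range(N)]


def most_likely_next(matrix: Sequence[Sequence[float]], z: int) -> int:
    """Stage number (1..7) with the highest next-interval probability."""
    dist = predict_next(matrix, z)
    return max(range(N), key=lambda n: dist[n]) + 1


if __name__ == "__main__":
    P = build_model(SAMPLE_CHAINS)
    for m, row in enumerate(P, start=1):
        print(m, " ".join(f"{v:.2f}" for v in row))
    z = 4  # currently observed stage: vulnerability exploitation
    dist = predict_next(P, z)
    print(f"from stage {z}: d_{z + 1} = {dist[z]:.2f}, most likely next = "
          f"{STAGES[most_likely_next(P, z) - 1]}")
```

In a deployment the matrix would be rebuilt per attack method and per statistics window, and the "verify prediction" step S35 would compare `most_likely_next` against the stage actually observed in the following interval.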
The invention has the beneficial effects that:
1. The invention provides a network attack statistics and prediction model construction method, which combines a widely used network attack chain and a Markov chain, improves the network attack event statistics and future attack prediction methods, and makes the network attack event statistics more suitable for application to prediction, thereby improving the accuracy of the attack prediction model.
2. The invention improves the prior network attack event statistical method, so that the statistical result of the network attack event is closer to the practical application; meanwhile, aiming at the condition that the statistical result of the attack event is inaccurate, the characteristic of a Markov chain is used for processing the statistical result, so that the adaptability of the prediction model is wider.
Drawings
FIG. 1 is a network attack killing chain, an attack method thereof and an attack event representation diagram;
FIG. 2 is an example Markov chain state transition matrix of the present invention;
FIG. 3 is a flow chart of a Markov chain state transition matrix established by the present invention;
FIG. 4 is a flow chart of the modified Markov chain state transition matrix data of the present invention;
FIG. 5 is a flow chart of the present invention for predicting attack phases in a cyber attack killing chain using Markov chains.
Detailed Description
For a better understanding of the present disclosure, an example is given here.
The invention discloses a network attack stage statistical and prediction method based on a Markov chain. FIG. 1 is a representation diagram of the network attack killing chain, its attack methods and attack events; FIG. 2 is an example Markov chain state transition matrix of the present invention; FIG. 3 is a flow chart of the present invention for building a Markov chain state transition matrix; FIG. 4 is a flow chart of the present invention for modifying Markov chain state transition matrix data; FIG. 5 is a flow chart of the present invention for predicting attack phases in a cyber attack killing chain using Markov chains. The method comprises steps S1 to S3 as set out in the Disclosure of Invention above.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (2)

1. A network attack stage statistical and prediction method based on a Markov chain, characterized by comprising the following specific steps:
S1, establishing a Markov chain-based state transition matrix: establishing a state space according to the attack process of the network attack killing chain, carrying out probability statistics on the attack state transitions generated by each attack method in the attack process, and establishing the Markov chain state transition matrix;
S2, modifying the Markov chain-based state transition matrix: modifying state data that is missing or wrong because of incomplete statistical data, according to the characteristic that the data elements of each row of the state transition matrix sum to 1;
S3, using the Markov chain model to predict the attack stage in the network attack kill chain, that is, using the Markov chain model to predict the probability of the next attack stage;
the establishing of the Markov chain-based state transition matrix described in step S1 specifically includes:
S11, extracting attack events: capturing and identifying the attack events in offline or real-time network traffic with intrusion detection software or probe software, and assigning the attack events to the corresponding attack stages according to their characteristics;
S12, correlating the attack events: detecting the attack method according to the viruses extracted from the attack event, the definition in the virus sample library and the attack stage in the network killing chain, and correlating the attack event with previously detected attack events under the same kind of attack method;
S13, carrying out attack probability statistics: dividing the attack events detected in step S12 according to the attack stages of the attack chain, then selecting a certain earlier day as the starting time point of the statistics, dividing the period from the starting time point to the current time into a number of consecutive time intervals of fixed length, and calculating the probability of each attack stage occurring in each time interval;
S14, for each attack method, establishing a corresponding Markov chain-based state transition matrix;
the calculating of the probability of the attack phase occurring in each time interval in step S13 specifically includes:
S131, calculating the occurrence weight of the jth attack stage in the ith time interval
Figure FDA0003159332390000021
where j is the index of the attack stage; for j = 1, 2, 3, 4, 5, 6, 7 the stage is respectively reconnaissance and tracking, weapon construction, load delivery, vulnerability exploitation, installation and implantation, command and control, and target achievement; m is the sequence number of the stage weight; $b_1, b_2, b_3, b_4, b_5, b_6, b_7$ are respectively the weights of the seven attack stages (reconnaissance and tracking, weapon construction, load delivery, vulnerability exploitation, installation and implantation, command and control, target achievement) in the current attack method; and $p_{1,i}, p_{2,i}, p_{3,i}, p_{4,i}, p_{5,i}, p_{6,i}, p_{7,i}$ are respectively the numbers of times the seven attack stages occur in the ith time interval;
S132, calculating the heat-of-occurrence set of attack stage j in the ith time interval, $H_{i,j} = [G_{1,j}, G_{2,j}, G_{3,j}, \ldots, G_{i,j}]$;
S133, simplifying the heat-of-occurrence set data by the extreme-value method to obtain the normalized heat of occurrence of attack stage j in the ith time interval, namely
Figure FDA0003159332390000022
S134, calculating the transition probability of each attack stage from the ith time interval to the (i+1)th time interval, where the transition probability from the jth attack stage to the (j+n)th attack stage between the ith and (i+1)th time intervals is $T_{i,i+1,j,j+n} = H'_{i+1,j+n} - H'_{i,j}$, and the transition probability from the jth attack stage to the (j-n)th attack stage between the ith and (i+1)th time intervals is $T_{i,i+1,j,j-n} = H'_{i+1,j} - H'_{i,j-n}$,
where $0 \le n \le 7$, $1 \le j+n \le 7$ and $1 \le j-n \le 7$;
the modification of the state transition matrix based on the markov chain in step S2 specifically includes:
S21, Markov chain property screening: the Markov chain-based state transition matrix established in step S1 is analysed and the Markov properties that apply to the matrix are selected, specifically including communicating states, periodicity, transience, recurrence, ergodicity or absorbing states; according to the selected Markov property, the Markov state transition probability matrix is denoted $P = [P_{m,n}]$, $1 \le m, n \le 7$, where $P_{m,n}$ is the probability that the attack is in state m in the ith time interval and in state n in the (i+1)th time interval;
S22, determining the correction principle of the state transition matrix: determining the principle for correcting the state transition matrix of each attack method according to the Markov property selected in step S21, where the expression of the correction principle is as follows:
Figure FDA0003159332390000031
Figure FDA0003159332390000032
where k is the index of the attack stage traversed by the summation, and $T_{m,n}$ is the total transition probability from the mth attack state to the nth attack state;
S23, correcting the data in the state transition matrix: completing the missing data in the state transition matrix according to the state transition matrix correction principle formula to obtain a corrected Markov chain-based state transition matrix:
Figure FDA0003159332390000033
2. The Markov chain-based network attack stage statistics and prediction method of claim 1, wherein step S3, predicting the attack stage in the network attack kill chain by using the Markov chain, specifically comprises:
S31, extracting attack features: fragments of the traffic data in transmission are extracted for the attack event detection of step S32;
S32, detecting the attack event: the traffic data packets extracted in step S31 are inspected to judge whether they contain an attack event;
S33, associating attack events: it is determined to which stage of which attack method the attack event detected in step S32 belongs;
S34, predicting the attack: according to the attack event detected in step S32, the probability of the attacker's next attack action is predicted using the state transition matrix of the Markov chain model. Specifically, let the stage of the currently detected attack event be z, 1 ≤ z ≤ 7, and denote the other stages by z'; the current state vector is set as C = [c_1 c_2 c_3 c_4 c_5 c_6 c_7] with c_z = 1 and c_{z'} = 0 for z' ≠ z; then the next state vector is D = C × P = [d_1 d_2 d_3 d_4 d_5 d_6 d_7], where d_{z+1} is the probability that the next attack event occurs;
S35, verifying the prediction: the obtained prediction result is verified.
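As an added illustration (not the patent's own code), the following Python builds the 7-stage transition matrix P from constructed attack-stage sequences and performs the step S34 prediction D = C × P with a one-hot current state vector; the S22/S23 correction formula is not reproduced on this page, so a stage never observed as a source simply keeps a zero row.

```python
"""Added illustration, not the patent's code: estimate the 7-stage kill-chain
transition matrix P from constructed attack-stage sequences and run the step
S34 prediction D = C x P.  The S22/S23 correction step is not reproduced."""
from typing import List, Sequence

STAGES = 7  # the claims index attack stages 1..7

def transition_matrix(sequences: Sequence[Sequence[int]]) -> List[List[float]]:
    """Count stage(i) -> stage(i+1) transitions between consecutive time
    intervals and row-normalise them into P[m][n] (index 0..6 = stage 1..7).
    A stage never seen as a source keeps an all-zero row: this is the
    'missing data' that step S23 completes (formula not given here)."""
    counts = [[0] * STAGES for _ in range(STAGES)]
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            if not (1 <= a <= STAGES and 1 <= b <= STAGES):
                raise ValueError(f"stage out of range: {a}->{b}")
            counts[a - 1][b - 1] += 1
    P = []
    for row in counts:
        total = sum(row)
        P.append([c / total if total else 0.0 for c in row])
    return P

def next_state_vector(P: List[List[float]], z: int) -> List[float]:
    """Step S34: C is one-hot at the detected stage z; return D = C x P."""
    if not 1 <= z <= STAGES:
        raise ValueError("stage z must be in 1..7")
    C = [1.0 if s == z else 0.0 for s in range(1, STAGES + 1)]
    return [sum(C[m] * P[m][n] for m in range(STAGES)) for n in range(STAGES)]

def next_stage_probability(P: List[List[float]], z: int) -> float:
    """d_{z+1}: probability that the attacker advances to stage z+1.
    There is no stage 8, so from the last stage this is 0.0."""
    if z >= STAGES:
        return 0.0
    return next_state_vector(P, z)[z]  # D is 0-indexed, so D[z] is d_{z+1}

# Constructed sample data: one list per observed attack, giving its
# kill-chain stage in each consecutive time interval.
SAMPLE_SEQUENCES = [
    [1, 2, 3, 4, 5, 6, 7],
    [1, 2, 2, 3, 4, 4, 5],
    [1, 3, 4, 5, 6, 7],
    [2, 3, 3, 4, 5],
]

if __name__ == "__main__":
    print(next_state_vector(transition_matrix(SAMPLE_SEQUENCES), 3))
```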
CN202110092582.0A 2021-01-24 2021-01-24 Network attack stage statistical and prediction method based on Markov chain Active CN112769859B (en)

Publications (2)

Publication Number Publication Date
CN112769859A CN112769859A (en) 2021-05-07
CN112769859B true CN112769859B (en) 2021-08-27

Family

ID=75706900

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant